Skip to content

Commit

Permalink
Fix Filebeat Zeek Weird Ingest Pipeline (#15906)
Browse files Browse the repository at this point in the history
* Update pipeline.json
* Fix zeek weird pipeline
  • Loading branch information
0huey authored Feb 3, 2020
1 parent 1c32be3 commit 6b9c8cb
Show file tree
Hide file tree
Showing 4 changed files with 21 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix s3 input hanging with GetObjectRequest API call by adding context_timeout config. {issue}15502[15502] {pull}15590[15590]
- Add shared_credential_file to cloudtrail config {issue}15652[15652] {pull}15656[15656]
- Fix typos in zeek notice fileset config file. {issue}15764[15764] {pull}15765[15765]
- Fix mapping error when zeek weird logs do not contain IP addresses. {pull}15906[15906]
- Improve `elasticsearch/audit` fileset to handle timestamps correctly. {pull}15942[15942]
- Prevent Elasticsearch from spewing log warnings about redundant wildcards when setting up ingest pipelines for the `elasticsearch` module. {issue}15840[15840] {pull}15900[15900]

Expand Down
6 changes: 4 additions & 2 deletions x-pack/filebeat/module/zeek/weird/ingest/pipeline.json
Original file line number Diff line number Diff line change
Expand Up @@ -28,13 +28,15 @@
{
"set": {
"field": "source.ip",
"value": "{{source.address}}"
"value": "{{source.address}}",
"if": "ctx?.source?.address != null"
}
},
{
"set": {
"field": "destination.ip",
"value": "{{destination.address}}"
"value": "{{destination.address}}",
"if": "ctx?.destination?.address != null"
}
}
],
Expand Down
1 change: 1 addition & 0 deletions x-pack/filebeat/module/zeek/weird/test/weird-json.log
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
{"ts":1543877999.99354,"uid":"C1ralPp062bkwWt4e","id.orig_h":"192.168.1.1","id.orig_p":64521,"id.resp_h":"192.168.1.2","id.resp_p":53,"name":"dns_unmatched_reply","notice":false,"peer":"worker-6"}
{"ts":1580227259.342809,"name":"non_ip_packet_in_ethernet","notice":false,"peer":"ens3f1-4"}
Original file line number Diff line number Diff line change
Expand Up @@ -21,5 +21,20 @@
"zeek.weird.name": "dns_unmatched_reply",
"zeek.weird.notice": false,
"zeek.weird.peer": "worker-6"
},
{
"@timestamp": "2020-01-28T16:00:59.342Z",
"event.dataset": "zeek.weird",
"event.module": "zeek",
"fileset.name": "weird",
"input.type": "log",
"log.offset": 197,
"service.type": "zeek",
"tags": [
"zeek.weird"
],
"zeek.weird.name": "non_ip_packet_in_ethernet",
"zeek.weird.notice": false,
"zeek.weird.peer": "ens3f1-4"
}
]

0 comments on commit 6b9c8cb

Please sign in to comment.